On January 25, 2013, the Department of Health and Human Services (HHS) issued final rules modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules (HIPAA Rules) under the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA), and other rules (known as the Omnibus Rule). As background, the HIPAA Rules apply to covered entities – group health plans, health care providers and health care clearinghouses – to restrict their use and disclosure of an individual’s protected health information (PHI). The Omnibus Rule expands individuals’ privacy rights and protections related to their PHI, with a focus on addressing the implications of ever-expanding electronic technology, and strengthens the government’s ability to enforce the law. The Omnibus Rule becomes effective March 26, 2013 and requires compliance by covered entities and business associates by September 23, 2013 with limited transition relief available for updating certain existing business associate agreements.

Key Highlights for Group Health Plans

Employers that sponsor group health plans (generally, medical, dental, vision, health flexible spending accounts, health reimbursement arrangements, and some employee assistance programs) will have to review documentation and current practices related to their health plans and make modifications as necessary to comply with the Omnibus Rule. Drinker Biddle plans on issuing a series of alerts, each focusing on specific changes made by the Omnibus Rule in greater detail and their impact on group health plans. As a brief introduction to the changes, the Omnibus Rule comprises four final rules:

Imposes direct liability on business associates that create, receive, maintain or transmit PHI (including subcontractors) for compliance with certain requirements of the HIPAA Privacy and Security Rules

Implements increased limitations on the use and disclosure of PHI for marketing and fundraising purposes

Prohibits the sale of PHI without authorization, subject to limited exceptions

Expands an individual’s right to receive electronic copies of his or her health information, and to restrict disclosures to a health plan regarding treatment for which the individual fully paid out of pocket

Requires the Secretary of HHS to investigate a complaint if a preliminary investigation of the facts indicates a possible HIPAA violation due to willful neglect

Increases penalties for noncompliance based on the level of culpability, with a maximum penalty of $1.5 million per violation

3. Modifications to Breach Notification Rules for unsecured PHI

Creates a presumption that all unauthorized acquisition, access, use, or disclosure of unsecured PHI is a breach. A covered entity or business associate can overcome the presumption of breach by performing a risk assessment to demonstrate that there is a low probability that the PHI was compromised.

Drinker Biddle Note: This is a significant change from the breach notification interim final rule that HHS issued in 2009. HHS has indicated that it intends to provide more guidance on what “compromised” means, and to generally assist covered entities with the assessment process.

Requires notification to individuals, HHS and, in some cases, the media of a breach of unsecured PHI

4. Modifications to HIPAA Privacy Rule as required by GINA to prohibit health plans from using or disclosing genetic information for underwriting purposes

Compliance Checklist

The following Compliance Checklist itemizes the documentation and practices that plans will want to review and revise, as necessary, to comply with the new rules. Our series of alerts is designed to provide plan sponsors with an explanation of the changes in the Omnibus Rule and their significance for plan sponsors. The alerts will describe action items sponsors should address as they work toward compliance.

Business Associate Relationships and Agreements

Policies and Procedures

Security Assessment and Breach Notification Plan

Plan Document and SPD

Notice of Privacy Practices

Individual Authorization for Use and Disclosure of PHI

Workforce Training

Issues Not Addressed in the Omnibus Rule

Further guidance is anticipated related to two issues affecting group health plans that are not addressed in the Omnibus Rule:

Minimum Necessary - When business associates use, disclose, or request PHI, HIPAA requires them to limit PHI to the minimum necessary needed to accomplish the intended purpose. Specifics related to determining “minimum necessary” are not outlined in the Omnibus Rule and further guidance on the topic is needed.

Accounting of Disclosures - A proposed rule on accounting of disclosure changes was released in May 2011 and has not yet been finalized. These changes will require covered entities and business associates to account for disclosures of PHI to carry out treatment, payment, and health care operations if such disclosures are made through an electronic health record. The proposed rules indicate covered entities and business associates are first expected to comply beginning 180 days after the effective date of the final regulations.

Compliance Deadline

Group health plans have until September 23, 2013 to comply with the new requirements under the Omnibus Rule. Plan sponsors should begin to take steps to update their HIPAA compliance under the Omnibus Rule, especially in light of the significant expansion of the enforcement and penalty structure, and a recent increase in the HHS Office of Civil Rights’ audit activity related to health providers and group health plans.

Please look out for upcoming issues in our series on changes under the Omnibus Rule and what group health plans can do to ensure compliance with the new laws.